Proactive Data Security in Hospitality and Travel: A CISO’s Playbook—Part 3

Published On: August 30, 2023
Categories: Blog

If you’ve been following our series, you’ll recall Stan Kreydin, a prominent CISO with extensive experience at industry giants like Travel + Leisure, Co., and in his role as Global Chief Technology Officer at Wyndham Worldwide. Now the founder of Resogy, a fractional CISO, CTO, and cybersecurity advisory service, he brings to the table not just decades of expertise but also an unmatched understanding of the intricacies of data protection in the hospitality and travel industries.

Today, we bring you the third and final part of our Q&A with Stan from the recent webinar, “Protecting Customer Data in Hospitality, Travel & Entertainment.” We have distilled Stan’s vast knowledge into a go-to guide for CISOs and security teams in the industry, an invaluable resource for those looking to fortify their data defenses.

If you’re just joining us, you might want to check out Part 1 and Part 2 for valuable industry insights that can transform your approach to data security.

How the Travel and Hospitality Sector Can Proactively Prepare for Cyber Threats

What proactive data security protocols do you recommend to strengthen industry defenses against emerging threats?

Stan: The future doesn’t look like it’s going to get simpler anytime soon, so we must create a strategy that’s resilient, adaptive, and aligned with the specific needs and culture of the business. We must first recognize that our attackers only need to be successful once, whereas we need to be on guard all the time. This reality demands a sophisticated and sustainable continuous response strategy.

Control is key, especially when dealing with third parties where the endpoint is often beyond our control. Control approaches will depend on the persona of the user segment we are servicing. For example, for front line staff, we would adopt strategies like using virtual terminal technology to mitigate risks and lock down local device data egress. The aim is to control the “front door,” moving the point of impact as far from the point of origination as possible. Essentially, remove any non-essential function from the tools that front line or field service teams use when interfacing with customers.

Enhanced security measures, such as mandating multifactor authentication and embracing adaptive solutions, are not just best practices; they are now necessities. We must be dynamic and adaptive in our approach, tailoring our defenses to specific risk profiles. Selecting the right tools for our needs is equally vital. My recommendation is almost always to opt for product-based tools that integrate seamlessly, avoiding technical and security debt that can lead to costly and unmanageable scenarios. There are reasons why companies like Okta, Box and Slack are being used in operating companies worldwide. They do one thing really well and integrate via robust APIs into other business systems.

Understanding the intricacies of access and privilege within our systems, including adopting a zero-trust model, is paramount. I’m not looking to throw buzzwords around here; the concepts of least privilege are not applied enough in many organizations. We need collaboration across the business landscape and a keen eye on education and awareness. Security isn’t just a technical challenge; it’s a cultural one. Our approaches must be intertwined with our business culture, relevant to our industry, and tailored to our audience. All this needs to be underpinned by the overall risk profile for a company, team and/or service.

5 actionable tips to strengthen your data security posture

Here are 5 actionable tips to strengthen your security posture:

1. Focus on Reaction as Much as Prevention: Recognize that no system is entirely impervious to threats; thus, it’s critical to have an effective reaction plan. Practice it, measure it, and ensure it evolves with your service portfolio.

2. Focus on Point of Origin vs Point of Control: An example is to deploy virtual terminal technology to eliminate direct access points for potential malicious activity and push the point of impact away from the point of origination, especially with third parties.

3. Implement a Zero-Trust Model: Ensure only necessary access is granted, based on roles and tasks. This is probably more difficult than it seems due to having to balance the culture and practices of an organization.

4. Choose Tools with Purpose for Sustainability: Invest in specialized, product-based tools that can integrate seamlessly and provide contextual data, avoiding unnecessary technical debt. Ensure they can integrate into the security tools portfolio and can be properly supported.

5. Prioritize Education: Regularly educate and raise awareness among all stakeholders, tailoring content to the audience. Test and measure efficacy and audit on a periodic basis.

Securing customer data in the hospitality industry requires a holistic, adaptive, and collaborative approach. It’s about marrying the technical with the human element, being aware of threats, and never losing sight of your business values and goals. It’s complex but achievable, and it’s our duty as industry professionals to rise to this challenge.

Concluding Thoughts

The expertise shared throughout this three-part blog series and accompanying webinar serves as the foundational building block for a more resilient and robust data defense in the hospitality, travel, and entertainment sectors. As industry security professionals, we must be responsive, thoughtful, and relentless in our pursuit of security and integrity. The insights and tips provided here aim to help you navigate this complex terrain with confidence. It’s not merely about managing threats; it’s about leading the way to safeguard your business and uphold the trust of your valued customers.

For more data protection insights and a comprehensive understanding of how these strategies fit into the broader industry landscape, be sure to watch the full webinar here.